Deploying the Analytics subsystem on Linux x86_64

Deploy the API Connect Analytics subsystem on the Linux x86_64 cluster.

Before you begin

Verify that you copied the ingress issuers to the Linux x86_64 cluster.

Restriction: This task applies only to deployments where the Management and Portal subsystems were installed on Linux for IBM Z.

If you are deploying all subsystems to Linux x86_64, follow the instructions in Deploying all API management subsystems on Linux x86_64 (Platform UI) to install all subsystems at the same time with a top-level CR.

Procedure

  1. Run the following command to obtain the common name from the Analytics TLS certificate on the IBM Z cluster: 
    oc get secret <apiconnectCluster_name>-a7s-ing-client -o json | jq -r '.data."tls.crt"' | base64 -d | openssl x509 -text| grep CN | grep Subject | awk '{print $NF}'

    where <apiconnectCluster_name> is the name of the API Connect cluster.

  2. Create a file called analytics-certs.yaml with the following contents:

    Replace <apiconnectCluster_name> with the name of the API Connect cluster.

    #
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

---

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: analytics-ingestion-client
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "analytics-ingestion-client"
  }
spec:
  commonName: analytics-ingestion-client
  secretName: analytics-ingestion-client
  issuerRef:
    name: <apiconnectCluster_name>-ingress-issuer
  usages:
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  3. Run the following command to apply the analytics-certs.yaml file to the target namespace of the Linux x86_64 : 
    oc apply -f analytics-certs.yaml -n <namespace>
  4. Create a file called analytics_cr.yaml containing the desired Analytics CR configuration; for example:

    Replace <apiconnectCluster_name> with the name of the API Connect cluster, supply an appropriate value for <license_ID>, and replace <common_name> with the value you retrieved in step 1.

    apiVersion: analytics.apiconnect.ibm.com/v1beta1
kind: AnalyticsCluster
metadata:
  name: apic-dev-a7s
  labels:
    app.kubernetes.io/instance: analytics
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: apic-dev-a7s
spec:
  standaloneCluster: true
  license:
    accept: true
    license: <license_ID>
    use: production
  certManagerIssuer:
    name: <apiconnectCluster_name>-self-signed
    kind: Issuer
  ingestion:
    enabled: true
    clientSubjectDN: 'CN=<common_name>'
    clientAuthEnabled: true
    configReloadAutomatic: true
    endpoint:
      annotations:
        cert-manager.io/issuer: <apiconnectCluster_name>-ingress-issuer
  profile: n1xc2.m16
  microServiceSecurity: certManager
  version: 10.0.6.0
  storage:
    clientAuthEnabled: true
    enabled: true
    type: shared
    shared:
      volumeClaimTemplate:
        storageClassName: ocs-storagecluster-ceph-rbd
        volumeSize: 20Gi
  5. Run the following command to apply the analytics CR: 
    oc apply -f analytics_cr.yaml -n <namespace>
  6. Run the following command to verify that the analytics cluster reports all services as READY: 
    oc get analyticscluster -n <namespace>